cisco pix firewall release notes version 6.3(4) collection/pix...cisco pix firewall release notes...
Post on 11-Mar-2018
236 Views
Preview:
TRANSCRIPT
tionng
Cisco PIX Firewall Release Notes Version 6.3(4)
July 2004
ContentsThis release is provides new features and fixes for a variety of PIX Firewall models and configuramodes, including new VLAN support, AAA fallback administration, and improved syslog messagiand ip address privacy. This document includes the following sections:
Note For more information on the NAT ID rules caveat, refer to “Important Notes” in the Cisco PIX FirewallRelease Notes Version 6.3(2).
• Introduction, page 1
• System Requirements, page 2
• New and Changed Information, page 5
• Important Notes, page 23
• Caveats, page 26
• Related Documentation, page 31
• Obtaining Documentation, page 31
• Obtaining Technical Assistance, page 33
• Obtaining Additional Publications and Information, page 34
IntroductionThe PIX Firewall delivers unprecedented levels of security, performance, and reliability, includingrobust, enterprise-class security services such as the following:
• Stateful inspection security, based on state-of-the-art Adaptive Security Algorithm (ASA)
• Over 100 predefined applications, services, and protocols for flexible access control
Corporate Headquarters:
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
System Requirements
ds
he
) to
DM,new
ve a
its
• Virtual Private Networking (VPN) for secure remote network access using IKE/IPSec standar
• Intrusion protection from over 55 different network-based attacks
• URL filtering of outbound web traffic through third-party server support
• Network Address Translation (NAT) and Port Address Translation Support (PAT)
Additionally, PIX Firewall Version 6.3 software supports Cisco PIX Device Manager (PDM)Version 3.0 and adds enhancements to features introduced in earlier releases.
System RequirementsThe sections that follow list the system requirements for operating a PIX Firewall with Version 6.3software.
Memory RequirementsThe PIX 501 has 16 MB of RAM and will operate correctly with Version6.1(1) and higher,while all otherPIX Firewall platforms continue to require at least 32 MB of RAM(and therefore are also compatible withversion 6.1(1) and higher).
In addition, all units except the PIX 501 and PIX 506E require 16 MB of Flash memory to boot. (TPIX 501 and PIX 506E have 8 MB of Flash memory, which works correctly with Version6.1(1) andhigher.)
Table 1 lists Flash memory requirements for this release.
Software RequirementsVersion 6.3 requires the following:
1. The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with adiskette drive, you need to download the Boothelper file from Cisco Connection Online (CCOlet you download the PIX Firewall image with TFTP.
2. If you are upgrading from Version 4 or earlier and want to use the Auto Update, IPSec, SSH, Por VPN features or commands, you must have a new 56-bit DES activation key. Before getting aactivation key, write down your old key in case you want to retrograde to Version 4. You can hanew 56-bit DES activation key sent to you by completing the form at the following website:
Table 1 Flash Memory Requirements
PIX Firewall Model Flash Memory Required in Version 6.3
PIX 501 8 MB
PIX 506E 8 MB
PIX 515/515E 16 MB
PIX 520 16 MB (Some PIX 520 units may need a memory upgrade because older unhad 2 MB, though newer units have 16 MB)
PIX 525 16 MB
PIX 535 16 MB
2System Requirements
OL-6317-01
System Requirements
wn
aDM
uchikely
r
)T
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
3. If you are upgrading from a previous PIX Firewall version, save your configuration and write doyour activation key and serial number. Refer to“Upgrading to a New Software Release” for newinstallation requirements.
Maximum Recommended Configuration File SizeFor the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB forPIX Firewall software Versions 5.3(2) and later. For other PIX Firewall platforms, the maximumconfiguration file size limit is 1 MB. Earlier versions of the PIX 501 are limited to a 256 KBconfiguration file size. If you are using PIX Device Manager (PDM), we recommend no more than100 KB configuration file because larger configuration files can interfere with the performance of Pon your workstation.
While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that slarge configuration files can reduce system performance. For example, a large configuration file is lto noticeably slow execution times in the following situations:
• While executing commands such aswrite term andshow conf
• Failover (the configuration synchronization time)
• During a system reload
The optimal configuration file size for use with PDM is less than 100 KB (which is approximately1500 lines). Please take these considerations into account when planning and implementing youconfiguration.
Cisco VPN Software Interoperability
Cisco VPN Series Interoperability Comments
Cisco IOS Routers PIX Firewall Version 6.3 requires Cisco IOS Release 12.0(6or higher running on the router when using IKE ModeConfiguration on the PIX Firewall.
Cisco VPN 3000 Concentrators PIX Firewall Version 6.3 requires Cisco VPN 3000Concentrator Version 2.5.2 or higher for correct VPNinteroperability.
3Maximum Recommended Configuration File Size
OL-6317-01
System Requirements
nt
t
er
vert
te
ote
n
rter
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Server Interoperability
Determining the Software VersionUse theshow version command to verify the software version of your PIX Firewall unit.
Cisco VPN Client Interoperability Comments
Cisco Secure VPN Client v1.x PIX Firewall Version 6.3 requires Cisco Secure VPN ClieVersion 1.1. Cisco Secure VPN Client Version 1.0 and 1.0aare no longer supported.
Cisco VPN Client v3.x
(Unified VPN Client Framework)
PIX Firewall Version 6.3 supports the Cisco VPN ClientVersion 3.x that runs on all Microsoft Windows platforms. Italso supports the Cisco VPN Client Version 3.5 or higher tharuns on Linux, Solaris, and Macintosh platforms.
Cisco Easy VPN Remote Interoperability Comments
PIX Firewall Easy VPN Remote v6.3 PIX Firewall software Version 6.3 Cisco Easy VPN Servrequires PIX Firewall software Version 6.3 Easy VPNRemote.
VPN 3000 Easy VPN Remote v3.6 PIX Firewall software Version 6.3 Cisco Easy VPN Serrequires the VPN 3000 Version 3.6 Easy VPN Remote tharuns on the VPN 3002 platform.
Cisco IOS Easy VPN Remote Release12.2(16.4)T
PIX Firewall software Version 6.3 Cisco Easy VPN Serverinteroperates with Cisco IOS 806 Easy VPN RemoteRelease (16.4)T.
Cisco Easy VPN Server Interoperability Comments
PIX Firewall Easy VPN Server v6.3 PIX Firewall software Version 6.3 Cisco Easy VPN Remorequires a PIX Firewall Version 6.3 Easy VPN Server.
VPN 3000 Easy VPN Server v3.6.7 PIX Firewall software Version 6.3 Cisco Easy VPN Remrequires VPN 3000 Version 3.6.7 Easy VPN Server.
Cisco IOS Easy VPN Server Release12.2(15)T
PIX Firewall software version 6.3 Cisco Easy VPN Remoteworks with Cisco IOS Release 12.2(15)T Easy VPN Server iIKE pre-shared authentication and does not work withcertificate. It is expected to interoperate using certificate, afteCSCea02359 and CSCea00952 resolved and integrated in laversions of Cisco IOS Easy VPN Server.
4Cisco VPN Client Interoperability
OL-6317-01
New and Changed Information
stces,
in
annot
ew
Upgrading to a New Software ReleaseIf you have a Cisco Connection Online (CCO) login, you can obtain software from the followingwebsite:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
New and Changed Information
New Features in Release 6.3(4)Release 6.3(4) includes the following new features:
VLAN Support Added to the PIX 506/506E, page 5
AAA Fallback for Administrative Access, page 5
SNMP Fixup, page 6
IKE Syslog Support Improved, page 6
New Syslog Messaging for AAA authentication, page 6
SIP IP Address Privacy Enhancement, page 6
New Ability to Assign Netmasks with Address Pools, page 6
VLAN Support Added to the PIX 506/506E
This release introduces VLAN support for PIX 506/506E, enabling these platforms to be a low-coDMZ enabled solution. With this new PIX support, users may implement additional logical interfaallowing them to securely host an external Web site, a secure email server, or even an extranet.
By adding support for the IEEE 802.1q VLAN tags, 506/506E Firewalls now feature added flexibilitymanaging and provisioning the firewall. This feature enables the decoupling of IP interfaces fromphysical interfaces, making it possible to configure logical IP interfaces independently.
VLAN feature support is added to theinterface command.
• A maximum of two logical interfaces may be configured on the 506/506E, thus providing amaximum of four interfaces (2 physical and 2 logical) on these platforms.
• When 506 and 506E are used as VPN hardware clients, logical interfaces on the 506/506E cbe used to initiate a VPN tunnel.
• If the VLAN ID is set to 4095, the interface name cannot be modified with thenameif command. Itmay not be appropriate to use VLAN ID 4095 because of this issue.
For configuration information, refer to “Configuring PIX Firewall with VLANs” in the Cisco PIXFirewall and VPN Configuration Guide.For a complete description of the command syntax for these ncommands, refer to theCisco PIX Firewall Command Reference.
5Upgrading to a New Software Release
OL-6317-01
New and Changed Information
serisco
cess:
hich
eventlow for
eforecies.
tside
fixup.
andredg on
AAA Fallback for Administrative Access
This release introduces the ability to authenticate and authorize requests to fall-back to a local udatabase on the PIX Firewall. The requirements and design will factor future compatibility with CIOS-like “method list” support for the PIX Firewall, and deliver the addition of the LOCAL fallbackmethod.
The following commands are now enhanced to create a fallback scenario for AAA administrative ac
aaa authentication console
A. aaa authorization command
A. aaa authorization match
aaa server
crypto map command
[no] aaa-server <tag> max-failed-attempts <number>
[no] aaa-server <tag> deadtime <minutes>
SNMP Fixup
This release introduces SNMP traffic inspection capabilities, enabling administrators to specify wSNMP version packets are permitted or denied passage through a PIX Firewall.
The following commands were added modified to support this new feature:
snmp deny version
fixup protocol snmp
IKE Syslog Support Improved
This release introduces a small enhancement to IKE syslogging support and a limited set of IKEtracing capabilities for scalable VPN troubleshooting. These enhancements have been added to alnew syslog message generation and improved IKESMP command control.
New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, which prompts users for their authentication bthey can use a service port. This syslog improvement is based on prior configured PIX Firewall poliThe added syslog is as follows:
%PIX-3-109023: User from src_IP_Adress/src_port to dest_IP_Address/dest_port on interface oumust authenticate before using this service
SIP IP Address Privacy Enhancement
This release introduces an enhancement to PIX Firewall IP address privacy issues that affect SIPPhones connected on the same interface of the PIX Firewall should not have any direct P2Pcommunication. This feature eliminates the ability of a third party computer to take control of (SIP)voice (RTP/RTCP) traffic flow through the PIX Firewall. Using the PIX Firewall to create the requipin holes for voice traffic, we can eliminate any direct P2P communication between phones workina PIX Firewall. The new command that provides this functionality is called:
6New Features in Release 6.3(4)
OL-6317-01
New and Changed Information
s notrade,
The
e and
ent
sip ip-address-privacy
New Ability to Assign Netmasks with Address Pools
This release introduces the ability to define a subnet mask for each address pool and pass thisinformation onto the client. The command to define a subnet mask for a local ip pool is:
ip local pool <name> <range> [mask <mask>]
The command which lets you see if a local subnet mask has been defined is:
show ip local pool
Note Downgrade Issue if this feature is implemented: If you downgrade to a software version that doehave this new feature, address ranges will be loaded without the defined subnet mask. If you downgsave the configuration, then upgrade, the masks will not be set or returned to the client.
New Features in Release 6.3(3)This release is mainly to fix the Network Address Translation (NAT) ID rules caveat (CSCeb84163).new feature in Release 6.3(3) is:
• PIX Outbound/Conduit Conversion Tool, page 7
PIX Outbound/Conduit Conversion Tool
Beginning with Version 5.3, the PIX Firewall uses access lists to control connections between insidoutside networks. Access lists are implemented with theaccess-listandaccess-groupcommands. Thesecommands are used instead of theconduit andoutbound commands, which were used in earlierversions of PIX Firewall software. In major software releases after Version 6.3, theconduit andoutbound commands are no longer supported. To migrate an obsolete PIX configuration file thatcontainsconduit andoutbound commands to a supported configuration file that contains the equivalaccess-list commands, a tool is available to help with the conversion process:
• https://cco-dev.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl (online tool)
• http://www.cisco.com/cgi-bin/tablebuild.pl/pix (download tool)
New Features in Release 6.3(2)The new features in Release 6.3(2) are:
• Policy NAT, page 8
• Ability to Configure TFTP Fixup, page 8
• DNS Fixup, page 8
• MIB Support, page 8
• Support for Instant Messaging Using SIP, page 9
• Enhanced Show Failover Command, page 9
• Incomplete Crypto Map Enhancements, page 9
7New Features in Release 6.3(3)
OL-6317-01
New and Changed Information
ffic to anify a
. To
er
nd
FTP
e
acket.
um
r
• Infinite Isakmp Phase 1 Lifetime Support, page 9
• Enhanced Show Version Command, page 10
• Per-user-override, page 10
• Enhanced Fixup Protocol Command, page 11
• Enhanced aaa proxy-limit, page 11
Policy NAT
PIX Firewall Version 6.3(2) introduces Policy Network Address Translation (NAT).Policy NAT allowsyou to identify both the source and destination addresses in an access list when specifying the local tratranslate. This feature lets you use different global addresses for each source and destination pair oninterface, even if the source address is the same for each pair. Without policy NAT, you can only specsingle global address for a given source address, because the destination address is not consideredconfigure policy NAT, use either thestatic or nat commands.
For configuration information, refer to “Policy NAT” or “Enabling Server Access with Static NAT” in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax, refto theCisco PIX Firewall Command Reference.
Ability to Configure TFTP Fixup
Ability to configure TFTP fixup inspects the TFTP protocol and dynamically creates connection axlate, if necessary, to permit file transfer between a TFTP client and server. Specifically, the fixupinspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).
Note TFTP Fixup is enabled by default. TFTP Fixup must be enabled if static PAT is used to redirect Ttraffics.
For more information on this feature, refer to “TFTP” in the Cisco PIX Firewall and VPN ConfigurationGuide.For a complete description of the command syntax for this new command, refer to theCisco PIXFirewall Command Reference.
DNS Fixup
The[no] fixup protocol dns [maximum-length <512-65535>]command can be used to enable/disablthe DNS fixup.
Based on this maximum-length configured by the user, the DNS fixup checks to see if the DNS plength is within this limit. Every UDP DNS packet (request/response) undergoes the above check
Note The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximlength. The default value is 512 bytes.
This feature is added to thefixup protocol command in the PIX Firewall Version 6.3(2) software. Foconfiguration information, refer to “DNS” in theCisco PIX Firewall and VPN Configuration Guide.For acomplete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
8New Features in Release 6.3(2)
OL-6317-01
New and Changed Information
d inets is
enger
refer
d,
o maprypto
the
dorof 0
Note If DNS fixup is disabled, the Address record (A-record) is not NATed and the DNS ID is not matcherequests and responses. By disabling DNS fixup, the maximum length check on UDP DNS packbypassed and packets greater than the maximum length configured are permitted.
MIB Support
PIX Firewall Version 6.3(2) adds support to the following additional interface objects of MIB-II:
• ifOutQLen
• ifInUnknownProtos
• ifLastChange
For more information, refer to“MIB Support” in theCisco PIX Firewall and VPN Configuration Guide.
Support for Instant Messaging Using SIP
Fixup SIP now supports the Instant Messaging (IM) Chat feature on Windows XP using Windows MessRTC Client version 4.7.0105 only.
This feature support is added to the PIX Firewall Version 6.3(2) software. For more information, to “SIP”in the Cisco PIX Firewall and VPN Configuration Guide.
Enhanced Show Failover Command
This new feature enhances theshow failover command to display the last occurrence of a failover.
For more information on this feature, refer to “Using the Failover Command” in the Cisco PIX Firewalland VPN Configuration Guide.For a complete description of the command syntax for this new commanrefer to theCisco PIX Firewall Command Reference.
Incomplete Crypto Map Enhancements
Every static crypto map must define an access list and an IPSec peer. If either is missing, the cryptis considered incomplete and a warning message is printed. Traffic not matched to a complete cmap is skipped, and the next entry is tried. Failover hello packets are now exempt from the incompletecrypto map check; previously they were dropped. Use theshow confcommand to ensure that every cryptomap is complete.
For more information on this feature, refer to “Crypto Maps” in the Cisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Infinite Isakmp Phase 1 Lifetime Support
Infinite isakmp phase 1 lifetime is a feature that allows interoperatability with third party VPN vengateways that do not support rekeying of the IKE phase 1 SA. To enable it, specify a lifetime valueusing the isakmp policy command.
9New Features in Release 6.3(2)
OL-6317-01
New and Changed Information
ically
SA
ces.
Note Using infinite phase 1 SA lifetime is relatively less secure, because the phase 1 keys are not periodrefreshed as they normally would otherwise be. Do not enable this feature unless the PIX mustcommunicate with a third party VPN gateway device that cannot be configured with a finite phase 1lifetime.
For more information on this feature, refer to “Internet Key Exchange (IKE)” in the Cisco PIX Firewalland VPN Configuration Guide.For a complete description of the command syntax for this newcommand, refer to theCisco PIX Firewall Command Reference.
Enhanced Show Version Command
The 'show ver' output now has two interface-related lines, Max Physical interfaces and Max interfaMax interfaces is the total physical and virtual interfaces. Following is an example of the output:
pix-1(config)# sh ver
Cisco PIX Firewall Version 6.3(2)
Compiled on Tue 08-Jul-03 10:56 by dramnath
dramnath-pix-1 up 2 hours 51 mins
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHzFlash i28F640J5 @ 0x300, 16MBBIOS Flash AT29C257 @ 0xfffd8000, 32KB
0:ethernet0:address is 0003.e300.1552, irq 10
1:ethernet1 :address is 0003.e300.1553, irq 7
2:ethernet2:address is 0090.273a.1611, irq 11Licensed Features:Failover: DisabledVPN-DES: EnabledVPN-3DES-AES: EnabledMaximum Physical Interfaces:3Maximum Interfaces: 5Cut-through Proxy: EnabledGuards: EnabledURL-filtering: EnabledInside Hosts: UnlimitedThroughput: UnlimitedIKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number:5 (0x5)Running Activation Key:0x2b2bcadc 0xbff80f39 0x71c6c743 0xa06ee021Configuration last modified by enable_15 at 20:14:25.505 UTC Thu Jul 24 2003dramnath-pix-1(config)#
For more information on this feature, refer to theCisco PIX Firewall and VPN Configuration Guide.Fora complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
10New Features in Release 6.3(2)
OL-6317-01
New and Changed Information
from
the
the
acescards
Per-user-override
This feature allows users to specify a new keyword per-user-override to theaccess-group command.When this keyword is specified, it allows the permit/deny status from the per-user access-list(downloaded via AAA authentication) that is associated to a user to override the permit/deny statusthe access-group access-list.
For more information on this feature, refer to theCisco PIX Firewall and VPN Configuration Guide.Fora complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
Enhanced Fixup Protocol Command
By default, thefixup protocol ils command is disabled. You can use thefixup protocol command toenable the ILS fixup and, optionally, change the default port assignment.
For more information on this feature, refer to “ILS and LDAP” in the Cisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Enhanced aaa proxy-limit
When the aaa proxy-limit is set to 16, the “aaa proxy-limit 16” line shows up. This feature specifiesnumber of concurrent proxy connections allowed per user, from 1 to 128.The default value is 16.
For a complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
New Features in Release 6.3(1)This section includes the following topics:
• Enterprise-Class Security Enhancements, page 11
• Small Office, Home Office (SOHO) Enhancements, page 15
• Security Fixups (Application Inspection) Enhancements, page 18
• Management Enhancements, page 19
• Serviceability Features, page 22
Enterprise-Class Security Enhancements
Virtual LAN (VLAN)-based virtual interfaces
802.1Q VLAN support comes to the PIX Firewall, providing added flexibility in managing andprovisioning the firewall. This feature enables the decoupling of IP interfaces from physical interf(hence making it possible to configure logical IP interfaces independent of the number of interfaceinstalled), and supplies appropriate handling for IEEE 802.1Q tags.
11New Features in Release 6.3(1)
OL-6317-01
New and Changed Information
r
ds,
arrive
efer to
s andons,S
ode
of
walll AAA
sing
VLAN feature support is added to theinterface command in the PIX Firewall Version 6.3 software. Foconfiguration information, refer to “Configuring PIX Firewall with VLANs”in theCisco PIX Firewalland VPN Configuration Guide.For a complete description of the command syntax for these new commanrefer to theCisco PIX Firewall Command Reference.
Note The PIX 501 and PIX 506/506E do not provide support for VLANs.
OSPF Dynamic Routing
Route propagation and greatly reduced route convergence times are two of the many benefits thatwith Open shortest Path First (OSPF). The PIX Firewall implementation will support intra-area,inter-area and external routes. The distribution of static routes to OSPF processes and routeredistribution between OSPF processes are also included.
To configure OSPF routing on the PIX Firewall, refer to“Configuring OSPF in the PIX Firewall”in theCisco PIX Firewall and VPN Configuration Guide.The following new commands are added to thePIX Firewall Version 6.3 software to support OSPF routing:routing interface, router ospf, route-map,prefix-list, and so on. For a complete description of the command syntax for these new commands, rtheCisco PIX Firewall Command Reference.
Note The PIX 501 does not support OSPF.
Secure HyperText Transfer Protocol (HTTPS) Authentication Proxy
This new feature extends the capabilities of the PIX Firewall to securely authenticate HTTP sessionadds support for HTTPS Authentication Proxy. To configure secure authentication of HTTP sessiuse theaaa authentication secure-http-clientcommand. To configure secure authentication of HTTPsessions, use theaaa authentication include httpsor theaaa authentication include tcp/0command.
In PIX Firewall software prior to 6.3, configurations that include theaaa authentication include tcp/0command will inherit the HTTPS Authentication Proxy feature, which is enabled by default with a cupgrade to Version 6.3 or later.
Refer to Chapter 3, “Controlling Network Access and Use,” in the “Enabling Secure AuthenticationWeb Clients” section of theCisco PIX Firewall and VPN Configuration Guide.
For a complete description of the command syntax for these new commands, refer to theCisco PIXFirewall Command Reference.
Local User Authentication Database for Network and VPN Access
This feature allows cut-through and VPN (using xauth) traffic to be authenticated using the PIX Firelocal username database (as an alternative in addition to the existing authenticating via an externaserver).
The server tag variable now accepts the value LOCAL to support cut-through proxy authentication uLocal Database. For example:
aaa authentication include http inside0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
crypto map outside_map client authentication LOCAL
12Enterprise-Class Security Enhancements
OL-6317-01
New and Changed Information
r
x
new
ll
nd,
das an
AT),
the
tsideHCPCP
For more information on this feature, refer to “User Authentication Using the LOCAL Database”in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax fothis new command, refer to theCisco PIX Firewall Command Reference.
HTTPS and FTP Web Request Filtering via Enhanced Websense Integration
This feature extends the existing Websense-based URL filtering to HTTPS and FTP.
Thefilter ftp andfilter https commands were added to thefilter command in the PIX Firewall Version6.3 software. For information on configuring this command, refer to “Filtering HTTPS and FTP sites”in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntafor this new command, refer to theCisco PIX Firewall Command Reference.
Advanced Encryption Standard (AES)
This feature adds support for securing site-to-site and remote access VPN connections with the international encryption standard. It also provides software-based AES support on all supportedPIX Firewall models and hardware-accelerated AES via the new VAC+ card on select PIX FirewaSecurity Appliance models.
Theaes | aes-192| aes-256option is added to theisakmp policy encryption command in PIX FirewallVersion 6.3 software. To configure this command, refer“Configuring IKE” in theCisco PIX Firewalland VPN Configuration Guide.For a complete description of the command syntax for this new commarefer to theCisco PIX Firewall Command Reference.
Support for VPN Accelerator Card+ (VAC+)
PIX Firewall Version 6.3 adds support for the VAC+. VAC+ provides high-speed tunneling andencryption services for Virtual Private Network (VPN) remote access, and site-to-site intranet anextranet applications. The VAC+ is supported on any chassis that runs the Version 6.3 software, happropriate license to run VPN software, and has at least one PCI slot available.
For more information on theshow crypto interface [counters] command, and a complete description ofthe command syntax for this new command, refer to theCisco PIX Firewall Command Reference.
VPN NAT Traversal
This feature extends support for site-to-site and remote access IPSec-based VPNs to networkenvironments that implement Network Address Translation (NAT) or Port Address Translation (Psuch as airports, hotels, wireless hot spots, and broadband environments
This feature is added to theisakmp nat-traversal command in PIX Firewall Version 6.3 software. Toconfigure this command, refer to“Using NAT Traversal”in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
DHCP Server Support on Multiple Interfaces
PIX Firewall Version 6.3 allows as many integrated Dynamic Host Configuration Protocol (DHCP) serversto be configured as desired, and on any interface. DHCP client can be configured only on the ouinterface, and DHCP relay agent can be configured on any interface. However, DHCP server and Drelay agent cannot be configured concurrently on the same PIX Firewall, but DHCP client and DHrelay agent can be configured concurrently.
13Enterprise-Class Security Enhancements
OL-6317-01
New and Changed Information
on
y.
moteicate
T
r MAC
The [no] dhcpd addressip1[-ip2] if_namefeature now allows dhcp servers to be configured as desired any interface in the PIXFirewall Version 6.3 software. For acomplete description of the command syntaxfor this new command, refer to theCisco PIX Firewall Command Reference.
Diffie-Hellman (DH) Group 5 Support
PIX Firewall Version 6.3 adds support for 1536-bit MODP Group that has been given the group 5identifier.
Use theisakmp policy group command to specify the Diffie-Hellman group to be used in an IKE policTo configure this command, refer to “Configuring IKE”in theCisco PIX Firewall and VPN ConfigurationGuide.For a complete description of the command syntax for this new command, refer to theCisco PIXFirewall Command Reference.
Verify Certificate Distinguished Name
This feature enables PIX Firewalls acting as either a VPN peer, site-to-site, or as an Easy VPN Re(VPN Hardware Client) to validate that the Easy VPN Server or the other VPN Peer provides a certifthat matches an administrator specified criteria.
This feature was added to theca verifycertdn command in PIX Firewall Version 6.3 software. Toconfigure this command, refer to“Client Verification of the Easy VPN Server Certificate”in theCisco PIXFirewall and VPN Configuration Guide.For a complete description of the command syntax for this newcommand, refer to theCisco PIX Firewall Command Reference.
Cryptographic Engine Known Answer Test (KAT)
The function of KAT is to test the instantiation of the PIX Firewall crypto engine. The test will beperformed every time during the PIX Firewall boot up before the configuration is read from Flashmemory. KAT will be run for valid crypto algorithms for the current license on the PIX Firewall. KAcan also be run from the command line in privileged mode, using theshow crypto engine verifycommand.
Theshow crypto engine verify command was added to thePIX Firewall Version 6.3 software. For acomplete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
Media Access Control (MAC) Based Authentication
This feature allows hosts to be exempted from a broader authentication requirement, based on theiaddresses. This is essential for devices like printers and IP phones located inside a firewall.
Themac-list, aaa mac-exempt match <mac-list-id> and vpnclient mac-exempt <mac-add_1><mac_mask_1> [<mac_addr_2> <mac_mask_2>commands are new commands. To configure thiscommand on the PIX Firewall, refer to“Using MAC-Based AAA Exemption”in theCisco PIX Firewalland VPN Configuration Guide.For a complete description of the command syntax for this newcommand, refer to theCisco PIX Firewall Command Reference.
14Enterprise-Class Security Enhancements
OL-6317-01
New and Changed Information
any
asy
r
the
the
g up
theents.
oesitedn made
evice.
ng. Itilized
fer
Small Office, Home Office (SOHO) Enhancements
DHCP Relay
Acting as a DHCP relay agent, the PIX Firewall can assist in dynamic configuration of IP hosts onof its interfaces. It receives requests from hosts on a given interface and forwards them to auser-configured DHCP server on another interface.This can work in conjunction with sit- to-site or EVPN, enabling businesses to centrally manage their IP address.
To support this feature, thedhcprelay command was added to PIX Firewall Version 6.3 software. Fomore information on thedhcprelay command, refer to “DHCP Relay”in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
PAT for ESP
PIX Firewall Version 6.3 provides the ability to PAT IP protocol 50 to support single IPSec useroutbound access.
To support this feature, thefixup protocol esp-ike command was added to PIX Firewall Version 6.3software. For more information on this command, refer to “IPSec”in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Increased Firewall Performance on the PIX 501 and PIX 506E Security Appliances
PIX Firewall Version 6.3 unleashes new performance levels on the PIX 501 and PIX 506E, deliverinto six times more performance than previous software releases.
Increased Number of IPSec VPN Peers Supported on the PIX 501 Security Appliance
PIX Firewall Version 6.3increases number of site-to-site and remote access VPN peers supported onPIX 501 from 5 to 10, enabling greater VPN scalability in small office, home office (SOHO) environm
Unlimited User License for the PIX 501 Security Appliance
With PIX 6.3, you can purchase or upgrade to an “Unlimited User License” for the PIX 501 which dnot limit the hosts on the inside of the network that leverage applicable PIX resources. The UnlimUser License also increases the DCHP Server pool size to 256 addresses. Updates have also beeto ensure that the default factory configuration considers the PIX 501 User license installed in the d
Easy VPN Server Load Balancing Support
The PIX Firewall VPN hardware client can participate in cluster-based concentrator load balancisupports VPN 3000 Series Concentrator load balancing with automatic redirection to the least utconcentrator.
For more information on this command, refer to “Enabling Redundancy” in theCisco PIX Firewall andVPN Configuration Guide.For a complete description of the command syntax for this new command, reto theCisco PIX Firewall Command Reference.
15Small Office, Home Office (SOHO) Enhancements
OL-6317-01
New and Changed Information
refer
e inplitrough
s it inling,
of the
ote
the
the
identifyroved
fer
Dynamic Downloading of Backup Easy VPN Server Information
Support for downloading a list of backup concentrators defined on the head-end.
Thevpngroup group_namebackup-server {{ ip1 [ip2... ip10]} | clear-client-cfg}command is a newcommand added to the PIX Firewall Version 6.3 software. For more information on this command,to “Enabling Redundancy”in theCisco PIX Firewall and VPN Configuration Guide.For a completedescription of the command syntax for this new command, refer to theCisco PIX Firewall CommandReference.
Easy VPN Internet Access Policy
PIX Firewall Version 6.3 changes the behavior of a PIX Firewall used as an Easy VPN Remote devicregard to Internet access policy for users on the protected network. The new behavior occurs when stunneling is enabled on the Easy VPN Server. Split tunneling is a feature that allows users connected ththe PIX Firewall to access the Internet in a clear text session, without using a VPN tunnel.
The PIX Firewall used as an Easy VPN Remote device downloads the split tunneling policy and saveits local Flash memory when it first connects to the Easy VPN Server. If the policy enables split tunneusers connected to the network protected by the PIX Firewall can connect to the Internet regardless status of the VPN tunnel to the Easy VPN Server.
For information about configuring the split tunneling policy on a PIX Firewall used as an Easy VPN RemServer, refer to Chapter 8, “Managing VPN Remote Access,” in thePIX Firewall and VPN ConfigurationGuide.
Custom Backup Concentrator Timeout
This feature constitutes a configurable time out on the PIX Firewall connection attempts to a VPNheadend, thereby controlling the latency involved in rolling over to the next backup concentrator onlist.
This feature is added to thevpngroup command in PIX Firewall Version 6.3 software. For moreinformation on this command, refer to “Enabling Redundancy”in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Easy VPN X.509 Certificate Support
X.509 certificates are used to access secure network systems. Users obtain certificates so they can themselves, present their access credentials, and obtain a secure network connection with other appsecure users or systems.
For more information on this command, refer to “Using X.509 Certificates”in theCisco PIX Firewall andVPN Configuration Guide.For a complete description of the command syntax for this new command, reto theCisco PIX Firewall Command Reference.
16Small Office, Home Office (SOHO) Enhancements
OL-6317-01
New and Changed Information
the
Norted.
ticate
her the
ture.
is
Flexible Easy VPN Management Solutions
In PIX Firewall Version 6.3, managing the PIX Firewall using the outside interface will not requiretraffic to flow over the VPN tunnel. You will have the flexibility to require all NMS traffic to flow overthe tunnel or fine tune this policy.
This feature was added to thevpnclient managementcommand in the PIX Firewall Version 6.3software. For configuration information, refer to “Controlling Remote Administration”in theCisco PIXFirewall and VPN Configuration Guide.For a complete description of the command syntax for this newcommand, refer to theCisco PIX Firewall Command Reference.
User-Level Authentication
Support for individually authenticating clients (IP address based) on the inside network of the VPhardware client. Both static and One Time Password (OTP) authentication mechanisms are suppThis is done through a web-based interface.
This new feature was added to thevpngroup command in PIX Firewall Version 6.3 software. For moreinformation on this command, refer to “Using Authentication and Authorization”in theCisco PIXFirewall and VPN Configuration Guide.For a complete description of the command syntax for this newcommand, refer to theCisco PIX Firewall Command Reference.
Secure Unit Authentication
This feature provides the ability to use dynamically generated authentication credentials to authenthe Easy VPN Remote (VPN Hardware Client) device.
The secure-unit-authenticationfeature is added to thevpngroup command in the PIX Firewall Version6.3 software. For configuration information, refer to “Using Secure Unit Authentication”in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax forthese new commands, refer to theCisco PIX Firewall Command Reference.
Easy VPN Web Interface for Manual Tunnel Control User Authentication and Tunnel Status
With the introduction of the User-Level Authentication and Secure Unit Authentication, features tPIX Firewall delivers the ability to enter the credentials, connect/dis-connect the tunnel and monitoconnection using new web pages served to users when attempting access to the VPN tunnel orunprotected networks through the PIX Firewall. This is only applicable to the Easy VPN Remote fea
For configuration information, refer to “Connecting to PIX Firewall Over a VPN Tunnel”in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax for thnew feature, refer to theCisco PIX Firewall Command Reference.
17Small Office, Home Office (SOHO) Enhancements
OL-6317-01
New and Changed Information
4
the
is
fer
secure
ewallrePN.
Security Fixups (Application Inspection) Enhancements
PPTP Fixup
This feature lets point-to-Point Tunneling Protocol (PPTP) traffic traverse the PIX Firewall whenconfigured for PAT, performing stateful PPTP packet inspection in the process.
To configure PPTP Fixup on the PIX Firewall, refer to “PPTP Configuration” in the Cisco PIX Firewalland VPN Configuration Guide. Thefixup protocol pptp 1723command configures PPTP Fixup. For acomplete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
H.323 Version 3 and 4 Support
With PIX Firewall Version 6.3, the PIX Firewall will support NAT and PAT for H.323 versions 3 andmessages, and in particular, the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
This feature is added to thefixup protocol h.323 command in the PIX Firewall Version 6.3 software.For more information on this command, refer to “H.323” in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
CTIQBE Fixup
Known also as TAPI/JTAPI Fixup, this feature incorporates aComputer Telephony Interface Quick BufferEncoding (CTIQBE) protocol inspection module that supports NAT, PAT, and bi-directional NAT. Thenables Cisco IP SoftPhone & other Cisco TAPI/JTAPI applications to work and communicatesuccessfully withCisco CallManager for call setup and voice traffic across the PIX Firewall.
This feature is added to thefixup protocol ctiqbe 2748command in the PIX Firewall Version 6.3software. For more information on this command, refer to “Voice over IP”in theCisco PIX Firewall andVPN Configuration Guide.For a complete description of the command syntax for this new command, reto theCisco PIX Firewall Command Reference.
MGCP Fixup
PIX Firewall Version 6.3 adds support forMedia Gateway Control Protocol (MGCP) 1.0, enablingmessages between Call Agents and VoIP media gateways to pass through the PIX Firewall in a manner.
To configure thefixup protocol mgcpcommand,refer to “Configuration for Multiple Call Agents andGateways”in theCisco PIX Firewall and VPN Configuration Guide.The following new commands are addedto the PIX Firewall Version 6.3 software to supprotthis new command:debug mgcp, fixup protocol mgcp,and so on. For a complete description of the command syntax for this new command, refer to theCisco PIXFirewall Command Reference.
PAT for Skinny
This feature allows Cisco IP Phones to communicate with Cisco CallManager across the PIX Firwhen it is configured with PAT. This is particularly important in a remote access environment wheSkinny IP phones behind a PIX Firewall talk to the CallManager at the corporate site through a V
18Security Fixups (Application Inspection) Enhancements
OL-6317-01
New and Changed Information
the
gh the has
.
the
ess
w
ion.itions
This feature is added to thefixup protocol skinny command in the PIX Firewall Version 6.3 software.For more information on this command, refer to “SCCP”in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Configurable SIP UDP Fixup
This provides a CLI-enabled solution for non-Session Information Protocol (SIP) packets to pass throuPIX Firewall instead of being dropped when they use a SIP UDP port (note that SIP UDP Fixup itselfbeen available since PIX Firewall Version 5.2).
This feature is added to thefixup protocol sip udp command in the PIX Firewall Version 6.3 softwareFor more information on this command, refer to “SIP” in theCisco PIX Firewall and VPN ConfigurationGuide.For a complete description of the command syntax for this new command, refer to theCisco PIXFirewall Command Reference.
Fixup Protocol ICMP Error
PIX Firewall Version 6.3 introduces the ability to NAT ICMP error messages.
The icmp error feature was added to the fixup protocol command in the PIX Firewall Version 6.3software. For information on configuring this feature, refer to“ICMP” in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Management Enhancements
ACL EditingThe Access Control List (ACL) editing feature provides users flexibility to insert or delete any acclist element in an access list. The access list, with line numbers, will be shown with theshow access-list<access-list-id>command and not with theshow running-config command or write terminalcommand.
The line-numfeature was added to theaccess-listcommand in the PIX Firewall Version 6.3 software.For information on configuring this feature, refer to “Enabling Inbound Connections” in the Cisco PIXFirewall and VPN Configuration Guide.For a complete description of the command syntax for this necommand, refer to theCisco PIX Firewall Command Reference.
Syslog by ACL Entry
This feature allows users to configure a specific Access Control List (ACL) entry with a logging optWhen such an option is configured, statistics for each flow that matches the permit or deny condof the ACL entry are logged.
To configure the log option in theaccess-listcommand on the PIX Firewall, refer to “Logging Access ControlList Activity” in the Cisco PIX Firewall and VPN Configuration Guide.For a complete description of thecommand syntax for these new commands, refer to theCisco PIX Firewall Command Reference.
19Management Enhancements
OL-6317-01
New and Changed Information
ing
re
nd,
ded
EM
d and
heir
the
Assignable Syslog Levels by Message
PIX Firewall Version 6.3 includes the ability to reassign the level of any syslog, allowing easy groupof syslogs of interest.
The leveloption in thelogging command is added to the PIX Firewall Version 6.3 software. For moinformation on this command, refer to “Enabling Logging to Syslog Servers”in theCisco PIX Firewalland VPN Configuration Guide.For a complete description of the command syntax for this new commarefer to theCisco PIX Firewall Command Reference.
Custom Logging Identifier
Allows a custom firewall identifier to be selected, such as an interface IP address, that will be incluin all syslog messages to improve the centralized reporting of firewall events.
This new feature is added to thelogging command. For configuration information, refer to “EnablingLogging to Syslog Servers”in theCisco PIX Firewall and VPN Configuration Guide.For a completedescription of the command syntax for these new commands, refer to theCisco PIX Firewall CommandReference.
Cisco Logging Format
This feature will help users to log messages in Cisco EMBLEM format to a syslog server. The EMBLformat is available for both messages with and without timestamp.
This new feature is added to thelogging command. For configuration information, refer to “EnablingLogging to Syslog Servers”in theCisco PIX Firewall and VPN Configuration Guide.For a completedescription of the command syntax for these new commands, refer to theCisco PIX Firewall CommandReference.
Comments/Remarks in Access Control Lists (ACLs)
This feature allows users to include comments in access lists to make the ACL easier to understanscan.
To configure theaccess-listid [line line-num] remark textcommand, in theaccess-listcommand, refer to“Enabling Inbound Connections”in theCisco PIX Firewall and VPN Configuration Guide.For a completedescription of the command syntax for this new command, refer to theCisco PIX Firewall CommandReference.
Interface Name as Address in ACLs
Users running the DHCP client on the PIX Firewall outside interface will no longer have to adjust taccess lists every time the outside DHCP address is changed by their ISP.
The interface if_namecommand was added to the PIXFirewall Version 6.3 software. Forinformation onconfiguring this feature, refer to “Enabling Inbound Connections” in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
20Management Enhancements
OL-6317-01
New and Changed Information
ill be
is
fter a
sidellat
re.
Custom Administrative Access Banner Messages
Users will be able to configure a message-of-the-day (motd), a login, and an exec banner that wpresented to users who access the PIX Firewall via the console, SSH, and Telnet.
To configure thebanner command, refer to“Configuring PIX Firewall Banners”in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax for thnew command, refer to theCisco PIX Firewall Command Reference.
Console Connection Inactivity Timeout
Protects console from unauthorized administrative access by automatically logging out sessions aconfigurable period of inactivity
Theconsolecommand is a new command added to the PIX Firewall Version 6.3 software. For acompletedescription of the command syntax for this new command, refer to theCisco PIX Firewall CommandReference.
show Command Output Filter
This feature provides the ability to filter or search through the full output ofshow commands.
For information on the showcommand_keywords [| { include | exclude | begin | grep [-v]} regexp]command, refer to Chapter 1, “Getting Started”in theCisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
Remote Management Enhancements
This feature enables administrators to remotely manage firewalls over a VPN tunnel using the ininterface IP address of the remote PIX Firewall. In fact, administrators can define any PIX Firewainterface for management-access. This feature supports PDM, SSH, Telnet, SNMP, and so on, threquires a dynamic IP address. This feature significantly benefits broadband environments.
Themanagement-accesscommand is a new command added to the PIX Firewall Version 6.3 softwaFor a complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
Enhanced show version Command
The output of the show version command is enhanced to display additional information.
For a complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
21Management Enhancements
OL-6317-01
New and Changed Information
lowedlus
er to
rieved
tion.
d,
ardsIIare.
Increase Length of the PIX Firewall Host Name
Change the maximum allowed length of the host name to 63 characters. Change the maximum allength of the domain name from 64 to 63.This limits the maximum fully qualified domain name (pterminating 0) to 127 bytes.
This new feature is added to thehostnamecommand in the PIX Firewall Version 6.3 software. Forconfiguration information, refer to “Using IKE with Pre-Shared Keys” in the Cisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for these new commands, reftheCisco PIX Firewall Command Reference.
Serviceability Features
Stack Trace in Flash Memory
This feature enables the stack trace to be stored in non-volatile Flash Memory, so that it can be retat a later time for debug/troubleshooting purposes.
Thecrashinfo command is a new command added to the PIX Firewall Version 6.3 software. For moreinformation on this new command, refer to “Saving Crash information to Flash Memory” in theCisco PIXFirewall and VPN Configuration Guide.For a complete description of the command syntax for this newcommand, refer to theCisco PIX Firewall Command Reference.
Enhanced show tech Command
This feature enhances the currentshow techcommand output to include additional diagnosticinformation.
For a complete description of the command syntax for this new command, refer to theCisco PIX FirewallCommand Reference.
Enhanced debug Command and Support
These commands turn off all active debugs at once, and restore the PIX Firewall to normal opera
The nodebug all, undebug all, debug arp, crypto vpnclient, debug aaa[authentication |authorization| accounting | internal] commands were added to thedebug command in the PIXFirewall Version 6.3 software. For a complete description of the command syntax for this new commanrefer to theCisco PIX Firewall Command Reference.
Modification to GE Hardware Speed Settings
Modification to GE Hardware Speed Settings - Half duplex option removed. The Gigabit Ethernet ccan be configured by hardware in TBI or GMII mode. TBI mode does not support half duplex. GMmode supports both half duplex and full duplex. All the i8255x controllers used in the PIX Firewallsconfigured for TBI and thus cannot support half-duplex mode,hence the half-duplex setting is removed
For more information, refer to “Identifying the Interface Type” in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this command, refer to theCiscoPIX Firewall Command Reference.
22Serviceability Features
OL-6317-01
Important Notes
the
ure
he
ions
eatlyl
ns
.
re
.
Enhanced arp Command
New features were added to thearp command in the PIX Firewall Version 6.3 software. Formoreinformation on this new command, refer to “Setting Default Routes” in theCisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new command, refer toCisco PIX Firewall Command Reference.
Enhanced capture Command
Users can now specify thecapture command to store the packet capture in a circular buffer. The captwill continue writing packets to the buffer until it is stopped by the administrator.
For configuration information, refer to “Capturing Packets” in the Cisco PIX Firewall and VPNConfiguration Guide.For a complete description of the command syntax for this new feature, refer to tCisco PIX Firewall Command Reference.
Important Notes
Important Notes in Release 6.3(3)
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The PIX Outbound/Conduit Conversion tool assists in converting configurations with outbound orconduit commands to similar configurations using Access Control Lists (ACLs). ACL basedconfigurations provide uniformity and leverage the powerful ACL feature set. ACL based configuratprovide the following benefits:
• Access-list Element (ACE) Insertion capability - System configuration and management is grsimplified by the ACE insertion capability that allows users to add, delete or modify individuaACEs.
• ACL supports remarks - ACL entries can be identified easily within large system configuratiousing remarks.
• Turbo ACLs - Turbo ACLs provide enhanced performance and scalability for ACL compilation
• Object-grouping support - Object-groups are not supported by the outbound command
• ACLs are commonly employed by most PIX features to define traffic designated for that featu(IPsec, nat 0, AAA, etc.)
• All the new developments in PIX are geared towards ACL (time based andoutbound ACL) basedconfigurations.
Important Notes in Release 6.3(2)Major releases beyond PIX Firewall Version 6.3 will not support the conduit and outbound commands
23Important Notes
OL-6317-01
Important Notes
ting
fore in
ows:
bpsn only
6.3,
t and
t they15E,
s them
Important Notes in Release 6.3This section describes important notes for Version 6.3.
ACL Source Address Change When an Alias is Configured
When thealias command is used for destination address translation, an inbound message originafrom theforeign_ipsource address is translated to thednat_ipaddress. If you configure an inbound ACLwith an address defined by thealias command, you must use theforeign_ipaddress as the ACL sourceaddress instead of thednat_ipaddress, as was used in Release 6.2. The ACL check is now done bethe translation occurs, which is consistent with the way the firewall treats other NATed addressesACLs.
Interface Settings on the PIX 501 and PIX 506E
With the PIX Firewall Version 6.3, the settings for the following interfaces have been updated as foll
• PIX 501 outside interface (port 0) - 10/100 Mbps half or full duplex
• PIX 501 inside interface - 10/100 Mbps half or full duplex
• PIX 506E inside interface - 10/100 Mbps half or full duplex
• PIX 506E outside interface - 10/100 Mbps half or full duplex
Note When upgrading the PIX 501 to Version 6.3, the inside interface is automatically upgraded to 100 Mfull duplex. During the upgrade process the system displays the message “ethernet1 interface cabe set to 100full.”
Upgrading the PIX 506 and the PIX 515
When upgrading a classic PIX 506 or PIX 515 (the non “E” versions) to PIX Firewall OS Version the following message(s) might appear when rebooting the PIX Firewall for the first time after theupgrade:
ethernet0 was not idle during boot.
ethernet1 was not idle during boot.
These messages (possibly one per interface) will be followed by a reboot. This is a one-time evenis a normal part of the upgrade on these platforms.
Easy VPN Remote and Easy VPN Server
The PIX 501 and PIX 506/506E are both Easy VPN Remote and Easy VPN Server devices. ThePIX 515/515E, PIX 525, and PIX 535 act as Easy VPN Servers only.
The PIX 501 and PIX 506/506E can act as Easy VPN Remote devices or Easy VPN Servers so thacan be used either as a client device or VPN headend in a remote office installation. The PIX 515/5PIX 525, and PIX 535 act as Easy VPN Servers only because the capacity of these devices makeappropriate VPN headends for higher-traffic environments.
24Important Notes in Release 6.3
OL-6317-01
Important Notes
35:
re be
eded, the
that.
stause
mustinsidemust
e, nor
PIX 535 Interfaces
These practices must be followed to achieve the best possible system performance on the PIX 5
• PIX-1GE-66 interface cards should be installed first in the 64-bit/66 MHz buses before they ainstalled in the 32-bit/33 MHz bus. If more than four PIX-1GE-66 cards are needed, they mayinstalled in the 32-bit/33 MHz bus but with limited potential throughput.
• PIX-VACPLUS should be installed in a 64-bit/66 MHz bus to avoid degraded throughput.
• PIX-1GE and PIX-1FE cards should be installed first in the 32-bit/33 MHz bus before they arinstalled in the 64-bit/66 MHz buses. If more than five PIX-1GE and/or PIX-1FE cards are neethey may be installed in a 64-bit/66 MHz bus but doing so will lower that bus speed and limitpotential throughput of any PIX-1GE-66 card installed in that bus.
The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is stronglydiscouraged because maximum system performance with the PIX-1GE card is much slower thanwith the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected
Table 2 summarizes the performance considerations of the different interface card combinations.
Caution The PIX-4FE and PIX-VPN-ACCEL cards can only be installed in the 32-bit/33 MHz bus and munever be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cthe system to hang at boot time.
Caution If Stateful Failover is enabled, the interface card and bus used for the Stateful Failover LAN portbe equal to or faster than the fastest card used for the network interface ports. For example, if yourand outside interfaces are PIX-1GE-66 cards installed in bus 0, then your Stateful Failover interfacebe a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this cascan a PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card.
Table 2 Gigabit Ethernet Interface Card Combinations
Interface Card CombinationInstalled In Interface SlotNumbers Potential Throughput
Two to four PIX-1GE-66 0 through 3 Best
PIX-1GE-66 combined withPIX-1GE or just PIX-1GE cards
0 through 3 Degraded
Any PIX-1GE-66 or PIX-1GE 4 through 8 Severely degraded
25Important Notes in Release 6.3
OL-6317-01
Caveats
tion as
of. The
rd
IX
ap
CaveatsThe following sections describe the caveats for the 6.3 release.
For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this secare drawn directly from the Bug Toolkit database. These caveat titles are not intended to be readcomplete sentences because the title field length is limited. In the caveat titles, some truncation wording or punctuation may be necessary to provide the most complete and concise descriptiononly modifications made to these titles are as follows:
• Commands are inboldface type.
• Product names and acronyms may be standardized.
• Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/kobayashi/support/tac/tools_trouble.shtml
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 6.3(4)
Table 3 Open Caveats
ID Number
Software Release 6.3(4)
Corrected Caveat Title
CSCed10049 No Traceback initpix/intf5 in PIX 515E with 4port FE and Kodiak ca
CSCef16218 No PIX alters seq num on ftp control channel with outside nat.
CSCdw04354 No Cisco PIX FW needs to better handle incomplete AAAauthentication
CSCea40885 No PIX - Capture sometimes records wrong MAC addr for PIXsinterface
CSCea43211 No Potential failure of TCP connection recovery scenario through P
CSCeb32807 No PIX stops receiving high rate traffic at VLAN interface
CSCed11522 No PIX SMTP fixup and banner hiding issue.
CSCef05997 No PIX 515 traceback in isakmp_time_keeper.
CSCef07029 No PIX traceback in Thread Name: listen/telnet_1.
CSCef10485 No PIX assigns the first time wrong IP address to VPNclient.
CSCef15146 No RIP may put the routes with bigger metric into the routing table
CSCef17488 No PIX SIP fixup does not map RTP port correctly
CSCef17703 No Memory leak and unexpected invalid SPI with dynamic crypto m
26Caveats
OL-6317-01
Caveats
Resolved Caveats - Release 6.3(4)
CSCef17728, No Telnet negotiation may fail with pix intermittently
CSCef16873, No No Audio During SIP Gateway Call
Table 4 Resolved Caveats
ID Number
Software Release 6.3(4)
Corrected Caveat Title
CSCdy54228 Yes PIX syslog 611103 incorrectly logged when user never
CSCea94045 Yes ID payload contains protocol 17 but port 0
CSCeb29981 Yes Pix FW in failover mode w/banner greater than 512
CSCeb32807 Yes PIX stops receiving high rate traffic at VLAN interface
CSCeb39437 Yes rip inside default v2 broken when management-access inside
CSCeb42088 Yes PIX traceback in https_proxy
CSCeb77142 Yes OSPF not able to handle fragmented packets
CSCeb78874 Yes PIX Standby stuck in reboot loop trying to clear
CSCeb78876 Yes Adverse effects of multiple NTP servers and OSPF
CSCeb81267 Yes RIPv2 mcast update sent out on a no RIP configure
CSCec03849 Yes RIPv2 mcast update sent out on a no RIP configure interface
CSCec04989 Yes SIP PIX sometimes add extra CRLF at the end of SDP body
CSCec09043 Yes SIP PIX does not translate via address in 200 and 401
CSCec12942 Yes H.323 ACF/LCF data not changed with fixup
CSCec13051 Yes PIX might reboot in ci/console thread while doing show cry
CSCec15510 Yes ICMP type 3 code 4 not sent back to inside with IPSEC +
CSCec19113 Yes Non-existing hosts counted towards the license on PIX 501
CSCec20284 Yes PIX crash in thread PIX Garbage Collector in pix_gc
CSCec20686 Yes H323 issue when rtp endpoints are diff to call control
CSCec20807 Yes isakmp_time_keeper crash
CSCec24103 Yes traceback in riprx/1 when enabling rip default inside
CSCec27881 Yes LCP is not dropped after Authenticate-Request retry
CSCec30203 Yes [SIP] PIX drops rtp packets for inside to outside calls
CSCec31274 Yes PIX crash in turboacl_process issuing access-list compiled
CSCec31498 Yes Vulnerability Issues in SSL
CSCec35886 Yes One way voice occur after PIX failover during call
Table 3 Open Caveats (continued)
ID Number
Software Release 6.3(4)
Corrected Caveat Title
27Resolved Caveats - Release 6.3(4)
OL-6317-01
Caveats
CSCec42006 Yes PPPoE can not add default route if OSPF-sourced default
CSCec42449 Yes PPPoE session doesn’t recover from lost PADS packets
CSCec45239 Yes Standby PIX sends incorrect packet during boot sequence
CSCec45748 Yes New DNS conns reset the idle timer of previous DNS conns.
CSCec47609 Yes PIX resets xlate idle counter to 0 even for denied
CSCec50002 Yes PIX may crash after using ca generate rsa key 1024
CSCec54201 Yes DNS port translated when using downloadable access-list
CSCec54641 Yes PPTP tunnels using MPPE and Downloadable ACLs do not work
CSCec55508 Yes PIX send 0.0.0.0 as caller-id for enable authentication
CSCec59013 Yes PIX:CTIQBE not opening outbound pin-holes for RTP
CSCec60851 Yes SIP Fixup does not fix second Contact Field in SDP packet
CSCec61095 Yes NAT-T doesn’t work from MS L2TP over IPSec client /w NAT-T
CSCec61249 Yes Remark in downloadable ACL crashes the PIX
CSCec63528 Yes HTTPS stress testing causes 4 byte block depletion
CSCec63822 Yes Policy NAT does not co-exist with normal nat configuration
CSCec64215 Yes Very large ACLs (>200K) may not compile, have very poor
CSCec64902 Yes VIP:3rd party route with no port not NATd if using PAT
CSCec66432 Yes fixup protocol pptp not aware of change in outside ip
CSCec69869 Yes Remark:PIX does not remove remark entry with line number
CSCec70390 Yes PIX traceback after issuing cl cry cmds during heavy vpn
CSCec72561 Yes sh access-list | grep xxx may cause ping through device to
CSCec72583 Yes PIX - OSPF learned routes not used in routing decision
CSCec72698 Yes RADIUS passwords limited to 16 characters max
CSCec73787 Yes PIX traceback in pix/intf1 thread
CSCec75949 Yes [SIP] PIX drops RTP because of fail to match CSeq of
CSCec78327 Yes primary PIX crashes during config update (solsoft)
CSCec79790 Yes IUA with EZVPN fails - Server PIX sends hostname instead
CSCec82685 Yes PIX - VPN client fails to connect to PIX when using NAT-T
CSCec86227 Yes PIX 520 endless reboot running 6.3.3-109 fover_rep thread
CSCec86309 Yes AES with PPPoE causes invalid fragmentation
CSCed00488 Yes SIP:UDP checksum not recalc after modifying payload
CSCed00915 Yes SIP:media port not translated in in-out-in scenario
CSCed02812 Yes Identity certificate lost after reload of PIX
CSCed02843 Yes [SIP] PIX does not translate local ip in o header of sdp
CSCed03100 Yes SIP:m= port not translated when no session c= in SDP of
Table 4 Resolved Caveats (continued)
ID Number
Software Release 6.3(4)
Corrected Caveat Title
28Resolved Caveats - Release 6.3(4)
OL-6317-01
Caveats
CSCed05397 Yes Traceback in isakmp_receiver thread under load, related to
CSCed07957 Yes Radius Timers were not used if uauth is denied by
CSCed09193 Yes PIX:TACACS+ accounting sending START before 3-way
CSCed11976 Yes [SIP] PIX drops media stream in case of using some kind of
CSCed12098 Yes pix smtp fixup doesn’t handle multiline banners correctly
CSCed12881 Yes sysName does not return FQDN. Violates RFC spec
CSCed12948 Yes IPsec SA is created when mismatch subnet mask
CSCed16070 Yes PIX Split DNS EZVPN - previous NAT is not undone after
CSCed16868 Yes PIX traceback in small_frag_append with Websense filtering
CSCed17044 Yes Large number of NTP packets are sent after failover
CSCed17106 Yes UAUTH:https_proxy thread can get stuck in rare
CSCed18857 Yes PPPoE:Traceback with sh vpdn pppint with no PPPoE
CSCed24935 Yes PIX reloads and crashes in fixup_pptp
CSCed25749 Yes VPNC:Public-Public SA should not be persistent with NAT-T
CSCed25752 Yes WEBSNS:Incorrect bit field meaning
CSCed26041 Yes SIP:RTP stream drop when SIP Authentication is enable
CSCed28592 Yes Linkdown trap does not contain all the mandatory variables
CSCed31165 Yes The PIX might drop the RELEASE_COMPLETE message
CSCed31179 Yes Websense LOOKUP_REQUEST corrupted w/ long URL and HTTP
CSCed31689 Yes TCP checks should verify RST seq number for conns to the
CSCed37136 Yes OSPF E2 Route Selection in PIX OS Is Different Then Cisco
CSCed38053 Yes ARP cache on neighbors may get corrupt during partial
CSCed38963 Yes PIX Config not being written to Secondary PIX flash memory
CSCed41138 Yes PIX crashes in TACACS+ process
CSCed42307 Yes PIX - TFTP does not work with names longer than 19
CSCed42539 Yes PIX reload in IPSec timer handler with NAT-T disconnect
CSCed43501 Yes PIX - PPTP:should continue negotiating MPPE
CSCed49919 Yes PIX DPD window too small
CSCed50456 Yes Standby PIX cannot update an arp table
CSCed51833 Yes H.323 Segmented packet inhibits further processing by fixup
CSCed52666 Yes fail active on a standby PIX does not produce the
CSCed59187 Yes PIX drops OSPF Type 10 LSA (Opaque) used for Traffic
CSCed59572 Yes High CPU utilization with large static list
CSCed69284 Yes Console connection left at ----more--- prompt causes
CSCed70062 Yes TCP checks should verify SYN seq number for conns to the
Table 4 Resolved Caveats (continued)
ID Number
Software Release 6.3(4)
Corrected Caveat Title
29Resolved Caveats - Release 6.3(4)
OL-6317-01
Caveats
CSCed73661 Yes Intermittent DNS doctoring with static
CSCed73761 Yes SIP:PIX set wrong timer for RTCP port via show xlate
CSCed78642 Yes DNS doctoring broken with network static
CSCed79836 Yes PIX - SSH authenticated users appear in the uauth table
CSCed83464 Yes RIP routes disappear from route table following RIPv2
CSCed84886 Yes Steady UDP streams develop 7ms hole followed by burst
CSCed93959 Yes Performance issue when processing large no of SCCP
CSCed94093 Yes PIX:Nailed option no longer functions after 6.3.3 upgrade
CSCed94713 Yes ISAKMP NAT-T - peer_attrib not initialized correctly upon
CSCee02990 Yes PIX receiving two default routes don’t use the best metric
CSCee07717 Yes IKE/VPNC:out of order AM3/TM messages causes tunnel
CSCee09061 Yes PIX help lacks except arg for filter activex|java, ftp,
CSCee11231 Yes COSMETIC:PIX-4-407002 does not display global IP address
CSCee11278 Yes Change DPD algo to be less aggressive in detecting short
CSCee13451 Yes PIX HW Client IUA:VPN3k user idle timeout of 0 is
CSCee13473 Yes PIX HW Client IUA:user is reprompted despite passing
CSCee18849 Yes standby might crash if incorrect LU passed from active
CSCee18998 Yes AUS:PIX polls AUS with low privilege level, update fails
CSCee24747 Yes High complexity ACLs may require excessively much memory
CSCee27557 Yes FTP command traffic may ask for authorization even if not
CSCee33328 Yes TCP packet with class D source may result in a rst response
CSCee33617 Yes ssh process may leave unfreed memory
CSCee38484 Yes PIX 6.3.3.102 & 6.3.3.132 crash with pointers to websense
CSCee45177 Yes nat0acl + static:need deny for both private and public
CSCee46363 Yes possible reload with traceback in https_proxy thread under
CSCee49107 Yes PIX:FTP fixup block PORT response when packet exceeds 60
CSCee50614 Yes SIP:extra RTCP xlates created
CSCee55244 Yes SIP:RTP port is sometimes translated to odd global port
CSCee60446 Yes PIX sends 0.0.0.0 as Remote Address for Command
CSCee61905 Yes PIX crash when input is invalid for the aaa enable password
CSCee66594 Yes VPNC:Dropped P2 rekey packets may cause P1 delete too fast
CSCee66760 Yes MSS values are changing for tacacs+ pass thru
CSCee68864 Yes SIP:should not NAT Proxy-Auth field
CSCee70374 Yes PIX - Embedded NetBIOS IP not translated with Outside NAT
CSCee71039 Yes IKE logging improvements
Table 4 Resolved Caveats (continued)
ID Number
Software Release 6.3(4)
Corrected Caveat Title
30Resolved Caveats - Release 6.3(4)
OL-6317-01
Related Documentation
n visit
tion
Related DocumentationUse this document in conjunction with the PIX Firewall and Cisco VPN Client Version 3.xdocumentation at the following websites:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm
Cisco provides PIX Firewall technical tips at the following website:
http://www.cisco.com/warp/public/707/index.shtml#pix
Software Configuration Tips on the Cisco TAC Home PageThe Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you cathe following websites for assistance:
TAC Customer top issues for PIX Firewall:
http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml
TAC Sample Configs for PIX Firewall:
http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX&s=Software_Configura
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX
Obtaining DocumentationCisco provides several ways to obtain documentation, technical assistance, and other technicalresources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.comYou can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
CSCee73793 Yes Feature:Add the ability for PIX to assign netmask to
CSCee75906 Yes H.323:Segmented TPKTs not handled by fixup
CSCee93282 Yes PIX crash at listen/http0
CSCee95572 Yes VPNC:Outside Management SAs should not come up when NAT-T
Table 4 Resolved Caveats (continued)
ID Number
Software Release 6.3(4)
Corrected Caveat Title
31Related Documentation
OL-6317-01
Obtaining Documentation
larlyle unit
from
tive byre in
click
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROMCisco documentation and additional literature are available in a Cisco Documentation CD-ROMpackage, which may have shipped with your product. The Documentation CD-ROM is updated reguand may be more current than printed documentation. The CD-ROM package is available as a singor through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product numberDOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order annual or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering DocumentationYou can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentationthe Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local account representacalling Cisco Systems Corporate Headquarters (California, USA.) at 408 526-7208 or, elsewheNorth America, by calling 800 553-NETS (6387).
Documentation FeedbackYou can submit comments electronically on Cisco.com. On the Cisco Documentation home page,Feedback at the top of the page.
You can send your comments in e-mail to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of yourdocument or by writing to the following address:
Cisco SystemsAttn: Customer Document Ordering170 West Tasman DriveSan Jose, CA 95134-9883
We appreciate your comments.
32Documentation CD-ROM
OL-6317-01
Obtaining Technical Assistance
Cisconlinenical
TAC
you
ribeution. TAC
ernetnd P2
nitions.
ou
ourCisco
onsrvice
Obtaining Technical AssistanceFor all customers, partners, resellers, and distributors who hold valid Cisco service contracts, theTechnical Assistance Center (TAC) provides 24-hour, award-winning technical support services, oand over the phone. Cisco.com features the Cisco TAC website as an online starting point for techassistance.
Cisco TAC WebsiteThe Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools fortroubleshooting and resolving technical issues with Cisco products and technologies. The Ciscowebsite is available 24 hours a day, 365 days a year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. Ifhave a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC CaseThe online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 andP4 cases. (Your network is minimally impaired or you require product information). After you descyour situation, the TAC Case Open Tool automatically recommends resources for an immediate solIf your issue is not resolved using these recommendations, your case will be assigned to a Ciscoengineer.
For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Intaccess, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 acases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)EMEA: +32 2 704 55 55USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority DefinitionsTo ensure that all cases are reported in a standard format, Cisco has established case priority defi
Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. Yand Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of ybusiness operation are negatively affected by inadequate performance of Cisco products. You andwill commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operatiremain functional. You and Cisco will commit resources during normal business hours to restore seto satisfactory levels.
33Obtaining Technical Assistance
OL-6317-01
Obtaining Additional Publications and Information
, or
nline
l as
r new
ignRL:
,et thetingtion,RL:
rnet
d
tml
re
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installationconfiguration. There is little or no effect on your business operations.
Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various oand printed sources.
• TheCisco Product Catalogdescribes the networking products offered by Cisco Systems, as welordering and customer support services. Access theCisco Product Catalogat this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles foand experienced users: Internetworking Terms and Acronyms Dictionary, InternetworkingTechnology Handbook, Internetworking Troubleshooting Guide, and the Internetworking DesGuide. For current Cisco Press titles and other information, go to Cisco Press online at this U
http://www.ciscopress.com
• Packet magazine is the Cisco quarterly publication that provides the latest networking trendstechnology breakthroughs, and Cisco products and solutions to help industry professionals gmost from their networking investment. Included are networking deployment and troubleshootips, configuration examples, customer case studies, tutorials and training, certification informaand links to numerous in-depth online resources. You can access Packet magazine at this U
http://www.cisco.com/go/packet
• iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Intebusiness strategies for executives. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineeringprofessionals involved in designing, developing, and operating public and private internets anintranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.h
• Training—Cisco offers world-class networking training. Current offerings in network training alisted at this URL:
http://www.cisco.com/en/US/learning/index.html
34Obtaining Additional Publications and Information
OL-6317-01
Obtaining Additional Publications and Information
35Obtaining Additional Publications and Information
OL-6317-01
Obtaining Additional Publications and Information
This document is to be used in conjunction with the documents listed in“Related Documentation” section.
CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live,Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the CiscoCertified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net ReadinessScorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect,RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCOare registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationshipbetween Cisco and any other company. (0406R)
Copyright © 2004 Cisco Systems, Inc.All rights reserved.
36Obtaining Additional Publications and Information
OL-6317-01
top related